List of usage examples for java.security.cert X509CRLSelector X509CRLSelector
public X509CRLSelector()
From source file:mitm.common.security.crl.CRLLocator.java
public List<X509CRL> findCRLs(X509Certificate issuer) throws NoSuchProviderException { List<X509CRL> crls = new LinkedList<X509CRL>(); X509CRLSelector crlSelector = new X509CRLSelector(); crlSelector.addIssuer(issuer.getSubjectX500Principal()); /* /*from w w w . ja v a2 s. c o m*/ * step through all the stores and get all the relevant CRLs from the stores */ for (BasicCRLStore store : crlStores) { try { CloseableIterator<? extends CRL> crlIterator = store.getCRLIterator(crlSelector); try { while (crlIterator.hasNext()) { CRL crl = crlIterator.next(); if (!(crl instanceof X509CRL)) { logger.warn("Only X509CRLs are supported. Skipping this CRL."); continue; } X509CRL x509CRL = (X509CRL) crl; if (acceptCRL(issuer, x509CRL)) { crls.add(x509CRL); } } } finally { crlIterator.close(); } } catch (CRLStoreException e) { /* * log and continue search * */ logger.error("Error getting CRLs. Skipping this store.", e); continue; } catch (CloseableIteratorException e) { /* * log and continue search */ logger.error("Error stepping through the CRL store. Skipping this store.", e); continue; } } return crls; }
From source file:mitm.common.security.crl.CRLStoreMaintainerImpl.java
private CloseableIterator<X509CRL> getCRLsWithSameIssuer(X509CRL crl) throws CRLStoreException { Check.notNull(crl, "crl"); X509CRLSelector crlSelector = new X509CRLSelector(); crlSelector.setIssuers(Collections.singletonList(crl.getIssuerX500Principal())); CloseableIterator<X509CRL> iterator = crlStore.getCRLIterator(crlSelector); return iterator; }
From source file:mitm.common.security.crlstore.hibernate.X509CRLStoreExtHibernateTest.java
@Test public void testGetAllCRLs() throws Exception { // get CRLS does not have a @StartTransaction so auto commit should make no difference X509CRLStoreExt crlStore = new X509CRLStoreExtAutoCommitFactory(sessionSource, "test").create(); addTestCRLs(crlStore);/* ww w . j av a 2s . com*/ X509CRLSelector selector = new X509CRLSelector(); Collection<? extends CRL> crls = crlStore.getCRLs(selector); assertEquals(5, crls.size()); }
From source file:mitm.common.security.crlstore.hibernate.X509CRLStoreExtHibernateTest.java
@Test public void testGetCRLIterator() throws Exception { // get CRLS does not have a @StartTransaction so auto commit should make no difference X509CRLStoreExt crlStore = new X509CRLStoreExtAutoCommitFactory(sessionSource, "test").create(); addTestCRLs(crlStore);//from w ww . j a va2 s . c o m X509CRLSelector selector = new X509CRLSelector(); CloseableIterator<? extends CRL> iterator = crlStore.getCRLIterator(selector); assertTrue(!iterator.isClosed()); List<? extends CRL> crls = CloseableIteratorUtils.toList(iterator); assertTrue(iterator.isClosed()); assertEquals(5, crls.size()); }
From source file:mitm.common.security.crlstore.hibernate.X509CRLStoreExtHibernateTest.java
@Test public void testGetCRLEntryIterator() throws Exception { // we should not use the auto commit because the iterator must have a valid transaction X509CRLStoreExt crlStore = new X509CRLStoreExtInjectSessionFactory(sessionSource, "test").create(); Transaction tx = sessionSource.getSession().beginTransaction(); addTestCRLs(crlStore);/* w w w.j a v a 2s. c om*/ X509CRLSelector selector = new X509CRLSelector(); CloseableIterator<? extends X509CRLStoreEntry> iterator = crlStore.getCRLStoreIterator(selector); assertTrue(!iterator.isClosed()); List<? extends X509CRLStoreEntry> crls = CloseableIteratorUtils.toList(iterator); assertTrue(iterator.isClosed()); assertEquals(5, crls.size()); tx.commit(); sessionSource.getSession().close(); }
From source file:mitm.common.security.crl.PKIXRevocationChecker.java
@Override public RevocationResult getRevocationStatus(CertPath certPath, TrustAnchor trustAnchor, Date now) throws CRLException { Check.notNull(certPath, "certPath"); Check.notNull(trustAnchor, "trustAnchor"); List<? extends Certificate> certificates = certPath.getCertificates(); RevocationResult revocationResult = new RevocationResultImpl(certificates.size()); /* //from ww w.j a v a2 s . c om * Step through all the certificates in the path and check the revocation status of all * the certificates in the path. */ for (int i = 0; i < certificates.size(); i++) { X509Certificate certificate = toX509Certificate(certificates.get(i)); PublicKey issuerPublicKey; X500Principal issuer; X509Certificate issuerCertificate; /* * we need to get the issuer of the current certificate * check if there is a next certificate in the path or that we must use the TrustAnchor */ if ((i + 1) == certificates.size()) { /* this was the last entry from the path so we must use the trust anchor */ if (trustAnchor.getTrustedCert() != null) { issuerCertificate = toX509Certificate(trustAnchor.getTrustedCert()); issuerPublicKey = issuerCertificate.getPublicKey(); issuer = issuerCertificate.getSubjectX500Principal(); } else { /* the TrustAnchor does not contain a certificate but only an issuer and public key */ issuerCertificate = null; issuerPublicKey = trustAnchor.getCAPublicKey(); issuer = trustAnchor.getCA(); } } else { /* get next entry from path ie. the issuer of the current certificate */ issuerCertificate = toX509Certificate(certificates.get(i + 1)); issuerPublicKey = issuerCertificate.getPublicKey(); issuer = issuerCertificate.getSubjectX500Principal(); } /* * sanity check to make sure the CertPath is ordered from end -> final CA * ie that the next certificate signed the previous certificate */ verifyCertificate(certificate, issuerPublicKey); /* * Sanity check. The issuer principal field of the certificate currently checked should * normally be equal to the issuer principal. */ if (!certificate.getIssuerX500Principal().equals(issuer)) { logger.warn("Certificate issuer field is not equal to issuer."); } if (issuerCertificate != null) { Set<KeyUsageType> keyUsage = X509CertificateInspector.getKeyUsage(issuerCertificate); /* * check if issuer is allowed to issue CRLs (only when we have an issuerCertificate, and * a key usage extension) */ if (keyUsage != null && !keyUsage.contains(KeyUsageType.CRLSIGN)) { logger.debug("Issuer is not allowed to issue CRLs."); /* * We will return UNKNOWN status. */ RevocationDetailImpl detail = new RevocationDetailImpl(RevocationStatus.UNKNOWN); revocationResult.getDetails()[i] = detail; /* there is no need to continue because issuer is not allowed to issue CRLs */ break; } } X509CRLSelector crlSelector = new X509CRLSelector(); /* create a selector to find all relevant CRLs that were issued to the same issuer as the certificate */ crlSelector.addIssuer(issuer); try { List<X509CRL> crls = findCRLs(certificate, crlSelector, issuerPublicKey, now); RevocationDetail detail = getRevocationDetail(crls, certificate, issuerCertificate, issuerPublicKey, now); revocationResult.getDetails()[i] = detail; if (detail.getStatus() == RevocationStatus.REVOKED) { logger.warn("Certificate is revoked."); if (logger.isDebugEnabled()) { logger.debug("Revoked certificate: " + certificate); } /* there is no need to continue because the CRL is revoked */ break; } } catch (NoSuchProviderException e) { throw new NoSuchProviderRuntimeException(e); } } if (logger.isDebugEnabled()) { logger.debug("Revocation status for CertPath " + certPath + " and TrustAnchor " + trustAnchor + " is " + revocationResult); } return revocationResult; }
From source file:mitm.common.security.crlstore.hibernate.X509CRLStoreExtHibernateTest.java
@Test public void testGetCRLEntryIteratorNoCRLs() throws Exception { // we should not use the auto commit because the iterator must have a valid transaction X509CRLStoreExt crlStore = new X509CRLStoreExtInjectSessionFactory(sessionSource, "test").create(); Transaction tx = sessionSource.getSession().beginTransaction(); X509CRLSelector selector = new X509CRLSelector(); CloseableIterator<? extends X509CRLStoreEntry> iterator = crlStore.getCRLStoreIterator(selector); assertTrue(!iterator.isClosed());/*from w ww. j av a2 s. co m*/ List<? extends X509CRLStoreEntry> crls = CloseableIteratorUtils.toList(iterator); assertTrue(iterator.isClosed()); assertEquals(0, crls.size()); tx.commit(); sessionSource.getSession().close(); }
From source file:mitm.common.security.crl.PKIXRevocationChecker.java
private DeltaCRLStatus getDeltaCRLStatus(X509Certificate targetCertificate, X509CRL deltaCRL, PublicKey issuerPublicKey, Date now) throws NoSuchProviderException { DeltaCRLStatus status = DeltaCRLStatus.UNKNOWN; BigInteger baseCRLNumber;/* ww w. j a va 2 s . c o m*/ try { baseCRLNumber = X509CRLInspector.getDeltaIndicator(deltaCRL); } catch (IOException e) { logger.error("Error getting base CRL number", e); return DeltaCRLStatus.UNKNOWN; } X509CRLSelector crlSelector = new X509CRLSelector(); /* We need to find a valid base CRL with the same issuer as the delta CRL */ crlSelector.addIssuer(deltaCRL.getIssuerX500Principal()); /* * we need to find a baseCRL with at least a CRL number specified by the DeltaCRLIndicator in * the delta CRL */ crlSelector.setMinCRLNumber(baseCRLNumber); BigInteger deltaCRLNumber = null; try { deltaCRLNumber = X509CRLInspector.getCRLNumber(deltaCRL); } catch (IOException e) { logger.error("Error getting CRLNumber extension from the delta CRL.", e); } if (deltaCRLNumber != null) { /* * the base CRL we need to find should have a CRL number less than the delta CRL * otherwise it cannot be a base for this delta CRL */ crlSelector.setMaxCRLNumber(deltaCRLNumber.subtract(BigInteger.valueOf(1))); List<X509CRL> crls = findCRLs(targetCertificate, crlSelector, issuerPublicKey, now); for (X509CRL baseCRL : crls) { try { if (checkDeltaCRL_6_3_3_b(targetCertificate, deltaCRL, baseCRL)) { status = DeltaCRLStatus.OK; break; } } catch (IOException e) { logger.error("Error executing checkDeltaCRL_6_3_3_b.", e); continue; } if (hasUnsupportedCriticalExtensions(baseCRL)) { logger.warn("The base CRL has unsupported critical extensions."); status = DeltaCRLStatus.UNSUPPORTED_CRITICAL_EXTENSION; continue; } } } return status; }
From source file:org.globus.gsi.CertificateRevocationLists.java
public synchronized void reload(String locations) { if (locations == null) { return;//from ww w . ja v a 2 s.co m } StringTokenizer tokens = new StringTokenizer(locations, ","); Map<String, X509CRL> newCrlIssuerDNMap = new HashMap<String, X509CRL>(); while (tokens.hasMoreTokens()) { try { String location = tokens.nextToken().toString().trim(); CertStore tmp = Stores.getCRLStore("file:" + location + "/*.r*"); Collection<X509CRL> coll = (Collection<X509CRL>) tmp.getCRLs(new X509CRLSelector()); for (X509CRL crl : coll) { newCrlIssuerDNMap.put(crl.getIssuerX500Principal().getName(), crl); } } catch (Exception e) { throw new RuntimeException(e); } } this.crlIssuerDNMap = newCrlIssuerDNMap; }